App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obfuscation
0 likes1,106 views
This document discusses software obfuscation techniques using C++ metaprogramming. It presents several implementations of string obfuscation using templates to encrypt strings at compile-time. It also discusses obfuscating function calls using finite state machines generated with metaprogramming. Debugger detection is added to fight dynamic analysis. The techniques aim to make reverse engineering and static/dynamic analysis more difficult without changing program semantics.
![1st implementation
template<int... Indexes>
struct MetaString1 {
constexpr MetaString1(const char* str)
: buffer_ {encrypt(str[Indexes])...} { }
const char* decrypt();
RUNTIME
private:
constexpr char encrypt(char c) const { return c ^ 0x55; }
constexpr char decrypt(char c) const { return encrypt(c); }
private:
char buffer_[sizeof...(Indexes) + 1];
};
19](https://image.slidesharecdn.com/appsecforum2014-andrivet-cplusplus11metaprogrammingappliedtosoftwareobfuscation-141203065846-conversion-gate01/85/App-secforum2014-andrivet-cplusplus11-metaprogramming_applied_to_software_obfuscation-19-320.jpg)
App secforum2014 andrivet-cplusplus11-metaprogramming_applied_to_software_obfuscation
- 1. C+ +11 METAPROGRAMMING A P P L IED TO SOF TWARE OBFUSCAT ION SEBAST IEN ANDRIVET Application Security Forum - 2014 Western Switzerland 05-06 November 2014 Y-Parc / Yverdon-les-Bains http://www.appsec-forum.ch 1
- 2. About me Senior Security Engineer a t SCRT (Swiss) Deve l o p e r a t ADVTOOLS (Swiss) Sebastien ANDRIVET Cyberfeminist & hack t i v i s t Reverse engineer Intel & ARM C + + , C , O b j - C , C # d e ve l o p e r Trainer ( iOS & Android appsec) 2
- 3. PROBLEM 3
- 4. Reverse engineering • Reverse engineering of an application if often like following the “white rabbit” • i.e. following string literals • Live demo • Reverse engineering of an application using IDA • Well-known MDM (Mobile Device Management) for iOS 4
- 6. What is Obfuscation? 6
- 7. Obfuscator O O( ) = 7
- 8. YES! It is also Katy Perry! • (almost) same semantics • obfuscated 8
- 9. “Deliberate act of creating source or machine code difficult for humans to understand” –WIKIPEDIA, APRIL 2014 Obfuscation 9
- 10. C++ templates • Example: Stack of objects OBJECT2 OBJECT1 • Push • Pop 10
- 11. Without templates c l a s s Stack { v o i d p u s h (void* o b j e c t ) ; void* p o p ( ) ; } ; Stack singers; singers.push(britney); Stack apples; apples.push(macintosh); s i n g e r s apples • Reuse the same code (binary) • Only 1 instance of Stack class 11
- 12. With C++ templates Stack<Singer> singers; singers.push(britney); Stack<Apple> apples; apples.push(macintosh); template<typename T> c l a s s Stack { Stack<Singers> Stack<Apples*> v o i d p u s h ( T o b j e c t ) ; T p o p ( ) ; s i n g e r s apples } ; 12
- 13. With C++ templates Stack<Singer> singers; singers.push(britney); Stack<Apple> apples; apples.push(macintosh); Stack<Singers> Stack<Apples*> s i n g e r s apples 13
- 14. C++ templates • Two instances of Stack class • One per type • Does not reuse code • By default • Permit optimisations based on types • For ex. reuse code for all pointers to objects • Type safety, verified at compile time 14
- 15. Type safety • singers.push(apple); // compilation error • apples.push(U2); • may or may not work… 15
- 16. Optimisation based on types • Generate different code based on types (template parameters) • Example: enable_if template<typename T> class MyClass { ... enable_if_t<is_pointer<T>::value, T> member_function(T t) { ... }; ... }; • member_function is only defined if T is a pointer type • (warning: C++14 code, not C++11) 16
- 17. C++ metaprogramming • Programs that manipulate or produce programs • Subset of C++ • Turing-complete (~ full programming language) • Close to Functional programming • Part of C++ standards • Major enhancements in C++11 et C++14 17
- 18. Application 1 - Strings literals obfuscation • original string is source code • original string in DEBUG builds • developer-friendly syntax • no trace of original string in compiled code in RELEASE builds 18
- 19. 1st implementation template<int... Indexes> struct MetaString1 { constexpr MetaString1(const char* str) : buffer_ {encrypt(str[Indexes])...} { } const char* decrypt(); RUNTIME private: constexpr char encrypt(char c) const { return c ^ 0x55; } constexpr char decrypt(char c) const { return encrypt(c); } private: char buffer_[sizeof...(Indexes) + 1]; }; 19
- 20. 1st implementation - Usage #define OBFUSCATED1(str) (MetaString1<0, 1, 2, 3, 4, 5>(str).decrypt()) cout << OBFUSCATED1(“Britney Spears”) << endl; 20
- 21. 1st implementation - Problem • List of indexes is hard-coded • 0, 1, 2, 3, 4, 5 • As a consequence, strings are truncated! 21
- 22. 2nd implementation • Generate a list of indexes with metaprogramming • C++14 introduces std:index_sequence • With C++11, we have to implement our own version • Very simplified • MakeIndex<N>::type generates: • Indexes<0, 1, 2, 3, …, N> 22
- 23. 2nd implementation • Instead of: MetaString1<0, 1, 2, 3, 4, 5>(str) • we have: MetaString2<Make_Indexes<sizeof(str)-1>::type>(str) 23
- 24. 2nd implementation - Usage cout << OBFUSCATED2(“Katy Perry”) << endl; • No more truncation 24
- 25. 3rd implementation • In previous implementations, key is hard-coded constexpr char encrypt(char c) const { return c ^ 0x55; } • New template parameter for Key template<int... I, int K> struct MetaString3<Indexes<I...>, K> 25
- 26. Generating (pseudo-) random numbers • C++11 includes <random>, but for runtime, not compile time • MetaRandom<N, M> N: Nth generated number M: Maximum value (excluded) • Linear congruential engine • Park-Miller (1988), “minimal standard” • Not exactly a uniform distribution (modulo operation) • Recursive 26
- 27. Seed • template<> struct MetaRandomGenerator<0> { static const int value = seed; }; • How to choose an acceptable compile-time seed? • Macros (C & C++): • __TIME__: compilation time (standard) • __COUNTER__: incremented each time it is used (non-standard but well supported by compilers) 27
- 28. 3rd implementation • Different key for each string • thanks to __COUNTER__ • Different keys for each compilation • thanks to __TIME__ • Sometimes not desirable: can give hints to attackers (differences between versions) 28
- 29. 4th implementation • Different and random keys, great! • Why not go even further? • Choose a different encryption algorithm, randomly! 29
- 30. 4th implementation • Template partial specialization • template<int A, int K, typename Indexes> struct MetaString4; • template<int K, int... I> struct MetaString4<0, K, Indexes<I...>> { … c ^ K … }; • template<int K, int... I> struct MetaString4<1, K, Indexes<I...>> { … c + K … }; • #define DEF_OBFUSCATED4(str) MetaString4<MetaRandom<__COUNTER__, 2>::value, … 30
- 31. Result • Without obfuscation cout << "Britney Spears” << endl; • With obfuscation cout << OBFUSCATED4("Britney Spears") << endl; 31
- 33. With obfuscation Encrypted characters (mixed with MOV) Decryption 33
- 34. Application 2 - Obfuscate calls • How to obfuscate call such as: • function_to_protect(); • against static analysis (or even dynamic analysis)? 34
- 35. Finite State Machine (simple example) 35
- 36. Boost Meta State Machine (MSM) library types template parameter Compile time entity Generates code (FSM) at compile-time 36
- 37. Result • Without obfuscation function_to_protect(“did”, “again”); • With obfuscation OBFUSCATED_CALL(function_to_protect, “did”, “again”); • Even better OBFUSCATED_CALL(function_to_protect, OBFUSCATED(“did”), OBFUSCATED(“again”)); 37
- 40. Application 3: FSM + Debugger Detection • FSM • To fight against static analysis • Debugger detection • To fight against dynamic analysis 40
- 41. Finite State Machine • Follows a different path depending of a predicate (Debugged or not Debugged, that is the question) 41
- 42. More obfuscation • Obfuscate predicate result • Avoid simple “if”, too simple for reverse engineers • Make computation instead • If the example, counter is odd if predicate is false 42
- 43. More obfuscation • Obfuscate function address • Otherwise, IDA is smart enough to get it • Simply make some computation on address • Using MetaRandom (like for strings obfuscation) 43
- 44. Predicate • Debugger detection is only an example • In the example, implemented only for Mac OS X / iOS • Virtual environment detection • Jailbreak detection • Etc 44
- 45. Compilers support Compiler Compatible Remark Apple LLVM 5.1 Yes Previous versions not tested Apple LLVM 6.0 Yes Xcode 6, 6.1 beta LLVM 3.4, 3.5 Yes Previous versions not tested GCC 4.8.2 or higher Yes Previous versions not tested Compile with -std=c++11 Intel C++ 2013 Yes Version 14.0.3 (2013 SP1 Update 3) Visual Studio 2013 No Lack of constexpr support Visual Studio 14 Almost Not far, lack init of arrays CTP3 tested 45
- 46. White paper 46
- 47. Credits 47 • I take inspiration from many sources • In particular: • Samuel Neves & Filipe Araujo • LeFF (virus maker)
- 48. Infos • @AndrivetSeb sebastien@andrivet.com • All code presented here is available on GitHub • https://github.com/andrivet/ADVobfuscator • Contains • obfuscator (in source) • examples • Whitepaper • BSD 3-clauses license 48
- 49. Thank you Questions? 49